pkc_mls wrote:
carlopmart wrote:
Thanks for your response Little Jun, but some observations:
a) this host has 2 GB RAM and when I push the policy, 60% of RAM is
free. So it isn't a RAM problem.
b) It is a clean R70 SM installation, I didn't upgrade anything. My
test policy only contains 25 objects and 10 rules. It is a really,
really small policy to be consuming 99% CPU when I push the policy.
I have enabled on the SM side only management and log. On the security
gateway I have enabled only the firewall and monitoring options: no VPN,
no IPS, no QoS. Maybe the problem is monitoring???
Has somebody tried to limit CPU usage for fwm??
Did you try to run the fwm load from the command line?
You can also run strace with the fwm load command and see what's
going on.
Ok, sorry for the delayed response; I will try to answer all questions:
a) running fwm from command line: "time fwm load Default_Policy smaug"
Installing CPMAD Policy On: localhost
CPMAD policy installed successfully on lugdunum...
CPMAD policy installation complete
CPMAD policy installation succeeded for:
lugdunum
Installing policy on R70 targets:
Default_Policy.W: Security Policy Script generated into Default_Policy.pf
Default_Policy:
Compiled OK.
Installing VPN-1/FireWall-1 policy on: smaug ...
VPN-1/FireWall-1 policy installed successfully on smaug...
VPN-1/FireWall-1 policy installation complete
VPN-1/FireWall-1 policy installation succeeded for:
smaug
real 1m10.624s
user 0m38.344s
sys 0m20.397s
b) CPU and RAM resources used during compiling, loading, etc. of the policy:
----total-cpu-usage---- ------memory-usage----- ----swap---
usr sys idl wai hiq siq| used buff cach free| used free
45 53 0 0 1 1| 453M 30M 239M 1.3G| 0 1537M
39 53 1 0 6 1| 458M 30M 240M 1.3G| 0 1537M
70 30 0 0 0 0| 475M 30M 241M 1.3G| 0 1537M
32 63 0 0 3 2| 459M 26M 236M 1.3G| 0 1537M
50 44 0 0 6 0| 467M 26M 236M 1.3G| 0 1537M
30 51 0 0 19 0| 478M 26M 236M 1.3G| 0 1537M
76 16 0 0 6 2| 480M 26M 236M 1.3G| 0 1537M
85 13 0 0 1 1| 482M 26M 236M 1.3G| 0 1537M
62 38 0 0 0 0| 487M 26M 236M 1.3G| 0 1537M
74 26 0 0 0 0| 494M 24M 231M 1.3G| 0 1537M
18 82 0 0 0 0| 445M 24M 231M 1.3G| 0 1537M
74 21 2 0 3 0| 445M 24M 231M 1.3G| 0 1537M
98 2 0 0 0 0| 445M 24M 222M 1.3G| 0 1537M
79 20 0 0 1 0| 445M 24M 230M 1.3G| 0 1537M
54 32 13 0 0 1| 448M 24M 201M 1.3G| 0 1537M
37 53 0 1 5 4| 461M 24M 201M 1.3G| 0 1537M
17 83 0 0 0 0| 476M 24M 201M 1.3G| 0 1537M
66 33 0 0 1 0| 481M 24M 201M 1.3G| 0 1537M
68 15 12 0 3 2| 478M 24M 201M 1.3G| 0 1537M
41 51 1 2 3 2| 492M 24M 201M 1.3G| 0 1537M
56 37 0 0 6 1| 497M 24M 201M 1.3G| 0 1537M
81 10 10 0 0 0| 497M 24M 201M 1.3G| 0 1537M
CPU is idle at 0% most of the time ... It is simply awesome!! ...
Little Lun, upgrade hardware??? Isn't a server with a QuadCore CPU and
2GB of RAM sufficient for an R70 security management?? Then, which
type of hardware do I need to use: 4 QuadCores with 16 TB of RAM :))??
I have some VMware servers running three and four virtual machines on
worse hardware and all works ok. Sorry, but it is not acceptable.
Tom, I have configured the security gateway to keep all connections (and in
a production environment we need to keep all connections when pushing
policies)... but this can't increase CPU load at this moment because
everything is installed on an isolated network ...
Remember that I am using 25 objects and 10 rules only .... Ok, more
info. I have installed under one ESXi server a RHEL4 SmartCenter server
using NGX R65 HFA40 (with only 768MB of RAM) and the result is: 15 secs to
load the same policy on a virtualized RHEL3 R65 HFA40 with 512MB of RAM...
Incredible!!
And another example. I have two production environments with Stonegate
firewalls (configured with clustering). On both clusters there are more than
600 objects and 300 rules, with monitoring enabled and keeping all
connections when I push a new policy package... time to load a policy on
these environments: 45 secs ... and I am using worse hardware for the
Stonegate management than I use for R70 ...
Sorry, but for me these results are bad and unacceptable.
I can't open a TAC case because I am using trial versions. I am evaluating
the R70 platform to deploy a new production environment, but with these
results ...
--
CL Martinez
carlopmart {at} gmail {d0t} com
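The dstat table in the message above is easier to argue about as numbers than as a wall of samples. The script below is an added example (not code from the thread or from Check Point); it parses that exact table (copied into DSTAT_SAMPLE) and reports how often idle time hit 0%, how much of the busy time was kernel (sys) rather than user time, and whether memory or swap ever got tight. The dstat column layout and size suffixes (k, M, G) are the ones the post shows; the function and key names are this example's own.

```python
"""Summarise a dstat capture taken while a policy is being pushed.

Added example, not code from the original thread. It parses the
'total-cpu-usage / memory-usage / swap' table the post above shows and
reports what a reader of that table wants to know: how often the box had
no idle CPU at all, how much of the load was kernel (sys) time rather
than user time, and whether memory or swap ever got tight.
DSTAT_SAMPLE is the table copied from the post.
"""

from statistics import mean

DSTAT_SAMPLE = """\
----total-cpu-usage---- ------memory-usage----- ----swap---
usr sys idl wai hiq siq| used buff cach free| used free
45 53 0 0 1 1| 453M 30M 239M 1.3G| 0 1537M
39 53 1 0 6 1| 458M 30M 240M 1.3G| 0 1537M
70 30 0 0 0 0| 475M 30M 241M 1.3G| 0 1537M
32 63 0 0 3 2| 459M 26M 236M 1.3G| 0 1537M
50 44 0 0 6 0| 467M 26M 236M 1.3G| 0 1537M
30 51 0 0 19 0| 478M 26M 236M 1.3G| 0 1537M
76 16 0 0 6 2| 480M 26M 236M 1.3G| 0 1537M
85 13 0 0 1 1| 482M 26M 236M 1.3G| 0 1537M
62 38 0 0 0 0| 487M 26M 236M 1.3G| 0 1537M
74 26 0 0 0 0| 494M 24M 231M 1.3G| 0 1537M
18 82 0 0 0 0| 445M 24M 231M 1.3G| 0 1537M
74 21 2 0 3 0| 445M 24M 231M 1.3G| 0 1537M
98 2 0 0 0 0| 445M 24M 222M 1.3G| 0 1537M
79 20 0 0 1 0| 445M 24M 230M 1.3G| 0 1537M
54 32 13 0 0 1| 448M 24M 201M 1.3G| 0 1537M
37 53 0 1 5 4| 461M 24M 201M 1.3G| 0 1537M
17 83 0 0 0 0| 476M 24M 201M 1.3G| 0 1537M
66 33 0 0 1 0| 481M 24M 201M 1.3G| 0 1537M
68 15 12 0 3 2| 478M 24M 201M 1.3G| 0 1537M
41 51 1 2 3 2| 492M 24M 201M 1.3G| 0 1537M
56 37 0 0 6 1| 497M 24M 201M 1.3G| 0 1537M
81 10 10 0 0 0| 497M 24M 201M 1.3G| 0 1537M
"""

# dstat size suffixes, normalised to MiB
_UNITS = {"B": 1 / (1024 * 1024), "k": 1 / 1024, "M": 1.0, "G": 1024.0}


def parse_size(token):
    """Convert a dstat size token such as '453M', '1.3G' or '0' to MiB."""
    if token[-1] in _UNITS:
        return float(token[:-1]) * _UNITS[token[-1]]
    return float(token) * _UNITS["B"]  # bare number: dstat prints raw bytes


def parse_dstat(text):
    """Return one dict per sample row; banner and column-header lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line or not line[0].isdigit():
            continue  # '----' banner and 'usr sys ...' header
        cpu, memory, swap = (part.split() for part in line.split("|"))
        usr, sys_, idl, wai, hiq, siq = map(int, cpu)
        used, buff, cach, free = map(parse_size, memory)
        swap_used, swap_free = map(parse_size, swap)
        rows.append({"usr": usr, "sys": sys_, "idl": idl, "wai": wai,
                     "hiq": hiq, "siq": siq, "mem_used": used, "mem_buff": buff,
                     "mem_cach": cach, "mem_free": free,
                     "swap_used": swap_used, "swap_free": swap_free})
    return rows


def summarise(rows):
    """Aggregate the samples into the figures worth quoting in a thread."""
    usr_total = sum(r["usr"] for r in rows)
    sys_total = sum(r["sys"] for r in rows)
    return {
        "samples": len(rows),
        "avg_usr": mean([r["usr"] for r in rows]),
        "avg_sys": mean([r["sys"] for r in rows]),
        "avg_idle": mean([r["idl"] for r in rows]),
        "zero_idle_samples": sum(1 for r in rows if r["idl"] == 0),
        # share of busy time spent in the kernel: a high value points at
        # syscall or I/O churn (what strace would show) rather than compiler work
        "sys_share_of_busy": sys_total / (usr_total + sys_total),
        "peak_mem_used_mb": max(r["mem_used"] for r in rows),
        "min_mem_free_mb": min(r["mem_free"] for r in rows),
        "max_swap_used_mb": max(r["swap_used"] for r in rows),
    }


def report(text=DSTAT_SAMPLE):
    """Parse and summarise a capture; returns the summary so callers can check it."""
    s = summarise(parse_dstat(text))
    print(f"{s['samples']} samples: usr {s['avg_usr']:.1f}%  sys {s['avg_sys']:.1f}%  "
          f"idle {s['avg_idle']:.1f}%  (idle was 0% in {s['zero_idle_samples']} samples)")
    print(f"kernel share of busy time: {s['sys_share_of_busy']:.0%}")
    print(f"memory: peak used {s['peak_mem_used_mb']:.0f} MiB, "
          f"min free {s['min_mem_free_mb']:.0f} MiB, "
          f"swap used {s['max_swap_used_mb']:.0f} MiB")
    return s


if __name__ == "__main__":
    report()
```

Run against the posted table it confirms the two points the thread is circling: memory never gets tight (peak used under 500 MiB, 1.3G free throughout, zero swap), while idle is 0% in 16 of 22 samples and roughly 40% of the busy time is kernel time. That last figure is what makes the earlier strace suggestion worth following up, since user-space compile work alone would not show up as sys.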